SysPatrol - Server Security Monitor


SysPatrol Server Security Monitor User Manual, Version 2.2, Sep

Product Overview

SysPatrol is a server security monitoring solution that watches one or more servers and detects unauthorized changes in system files, kernel drivers, system services, installed software products and the registry database. The user can learn a reference server configuration, monitor the server configuration periodically, detect unauthorized system changes, save reports automatically and send notifications. SysPatrol Server can send notifications, submit error messages to the system event log and/or automatically save HTML, ASCII text, Excel CSV, XML or PDF reports when one or more unauthorized system changes are detected on a server. In addition, a history of system changes can be kept in an SQL database.

Initially, SysPatrol scans the system configuration and saves a reference state of the system files (including SHA256 signatures), the installed kernel drivers and system services, the state of the registry database, and the installed software products and Windows updates. During the monitoring stage, SysPatrol periodically scans the current system configuration and compares it with the reference configuration, detecting all newly created, modified and/or deleted system files, kernel drivers, system services, registry database entries and software products. By default, SysPatrol applies the most rigorous set of settings, capable of detecting all types of changes; if required, the configuration may be relaxed for less sensitive environments to reduce the number of alerts issued for minor or unimportant configuration changes. Every change type excluded this way is a change that will go unreported, so relax the defaults deliberately and per monitor rather than globally.

SysPatrol is designed to run on production servers: it uses a very small amount of system memory (6MB-8MB) and intentionally throttles its monitoring operations to minimize the performance impact on running production applications. By default, SysPatrol Server is configured to use up to 1%-2% of a single CPU core during the learning and verification stages, which typically take up to 5 minutes per day.

To simplify deployment and everyday use, SysPatrol Server provides a simple web-based management interface for controlling, configuring and managing the product locally or over the network with a regular web browser. A number of fully automatic configuration wizards allow SysPatrol Server to be installed and its system monitors configured within a couple of minutes, even by novice computer users.

Product Installation Procedure

SysPatrol Server is designed to be as simple as possible to install. The product does not require any third-party software and may be installed and configured within a couple of minutes. A fully functional 30-day trial version of SysPatrol Server may be downloaded from the following page:

The installation package is small, 5MB - 6MB depending on the target operating system, and the product requires just 10MB of free disk space on the target server. To install SysPatrol Server, start the setup program, select a destination directory and press the 'Next' button. Optionally, enter custom server control and/or web access ports. The server control port is used by the SysPatrol command line utility; the web access port is the port of the web-based management interface, through which SysPatrol Server is controlled from a standard web browser. If SysPatrol Server is to be controlled remotely over the network, open one or both of these ports in the server's firewall, but only to the management hosts or subnet that need them: each open port is a remote path to an administrative account that ships with the default admin/admin credentials (see 'Initial Product Configuration').

Initial Product Configuration

To simplify deployment and everyday use, SysPatrol provides a number of fully automated configuration wizards that set up and configure the product within a couple of minutes. First, log in to the SysPatrol Server web-based management console using a standard web browser (default user name and password: admin/admin). Change this default password before the server is reachable from anything but the local host; the 'Configure Server Login' link on the settings page sets a new user name and password for both the web interface and the command line utility (see 'Configuring SysPatrol Server').

After the installation procedure finishes, the product is fully functional, but no system monitors are defined in the product configuration. In the simplest case, to initialize the default product configuration, just press the 'Init Default Configuration' button. By default, SysPatrol Server applies the most rigorous set of configuration options, making sure that all types of system changes are detected. During the initialization process, SysPatrol scans the current system configuration and saves it as the reference system configuration. By default, SysPatrol Server saves the state of the system files (including SHA256 signatures), the installed kernel drivers and system services, the installed network protocols, the state of the registry database, and the installed software products and Windows updates. During the monitoring stage, the saved reference configuration is used to detect unauthorized system changes. The SysPatrol configuration wizard creates all the required system monitors and sets up a daily periodic system test, which verifies the system configuration every 24 hours. If required, the automatically created system monitors and periodic system tests may be customized and tuned for user-specific needs. Run the initialization on a host you have just built or otherwise trust: whatever state is present at that moment, including any pre-existing unwanted change, becomes the reference against which later changes are judged.

Manual System Test

To test the current system configuration manually, press the 'Verify' button located on the main server status page, select the system monitors to test and press the 'Verify' button. During the verification process, SysPatrol scans the current system configuration, compares it to the reference system configuration and reports all detected changes. When one or more unauthorized changes are detected, SysPatrol saves a report file and sends a notification if one is configured. To review detected configuration changes, log in to the SysPatrol web-based management interface and click on a system monitor showing unauthorized changes. For each detected configuration change, SysPatrol shows the current value and the reference value that was saved during the system configuration learning stage. To export detected configuration changes to a report file, press the 'Export' button, select a report file format and press the 'Export' button.

Periodic Tests and Monitoring

SysPatrol Server provides the ability to periodically monitor the system configuration, save reports and/or send notifications when one or more unauthorized changes are detected. By default, SysPatrol creates a daily system test, which verifies the system configuration every 24 hours. To customize the default periodic system test created by the SysPatrol Server configuration wizard, press the 'Schedule' button located on the main status page. The automatically created daily system test verifies system files, system services, kernel drivers, network protocols, the registry database and installed software packages. In addition, the user can change the schedule of periodic tests and/or create new periodic tests configured according to user-specific needs. To add a new periodic test, press the 'Add' button located on the 'Periodic Tests' page. On the periodic test page, set the time interval at which the periodic test is executed, select the system monitors that should be verified and press the 'Save' button. SysPatrol Server verifies the selected system monitors periodically according to the specified time interval, detects all unauthorized system changes, saves change reports and sends notifications if configured. A 24-hour interval bounds how long a change can go unnoticed; for monitors covering a small set of high-value items, such as the registry startup keys, a second test with a shorter interval costs little.

Reports and Notifications

SysPatrol Server can save HTML, ASCII text, Excel CSV, XML or PDF reports or send notifications when one or more unauthorized system changes are detected. To set up reports and/or notifications, click the 'Settings' link located on the top menu bar and click the 'Reports and Notifications' link located on the settings page. SysPatrol Server can be configured with multiple report and/or notification actions, so that different types of reports are generated and notifications are sent to multiple destination addresses. To add a new report or notification action, press the 'Add' button located on the reports and notifications page. For report actions, the user may specify either an absolute file name or a directory name to save the report to. If an existing directory is specified, SysPatrol Server automatically generates file names containing the date and time of the test and saves the reports to that directory. For notification actions, the user specifies the destination address to which notifications are sent. In addition, to enable notifications, the user must configure an SMTP server through which notifications are sent. Reports written to the monitored host itself can be altered by whoever altered the host; if the reports are evidence, send them off-box as well, through the notification, event log or SQL actions.

Sending Notifications

To configure notifications, open the main settings page, click on the 'Reports and Notifications' link and press the 'Add Action' button. On the new action page, select the 'Send HTML Notification' action type, enter a destination address, enter the number of system changes that triggers the notification and press the 'Save' button. In addition, open the main settings page, click on the 'Configure Server' link and enter the host name or IP address of the SMTP server, and the account name and password to use to send notifications. When one or more system changes are detected, SysPatrol sends a notification to the specified address. Each notification includes the name of the test that triggered the notification, the host name of the server, the date and time of the test and the list of detected system changes. A trigger count of 1 reports every change; a higher count trades fewer messages for silence on small changes, and a single replaced executable or driver is exactly the kind of change the monitor exists to report.

SQL Database Integration

SysPatrol Server can save detected system changes to an SQL database, keeping a history of all changes for later review and analysis. To enable SQL database export, click the 'Reports and Notifications' link located on the main settings page, press the 'Add' button to add a new report action, select the SQL database report format and press the 'Save' button. SysPatrol Server exports SQL database reports through the ODBC database interface, which must be configured for the export to work. To configure the ODBC database interface, click on the 'Configure SQL Database' link located on the main settings page, enable the ODBC database interface, and specify the ODBC data source, ODBC user name and password to use to save reports to the SQL database. Because SysPatrol only has to append rows, give that ODBC account insert rights on the history table and nothing more; the stored credentials then cannot be used to delete or rewrite the history from a compromised monitored host.

System Event Log Integration

Another way to report unauthorized system changes is to submit error messages or warnings to the system event log. To add a system event log notification action, click the 'Settings' link located on the top menu bar, click the 'Reports and Notifications' link located on the settings page and press the 'Add' button. On the notification action page, select the 'Send Error to System Event Log' action type, enter the error message to submit to the system event log, enter the number of system changes that triggers the action and press the 'Save' button. During the monitoring stage, SysPatrol Server verifies the system configuration and submits the error message to the system event log when the specified number of system changes is detected.
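The three action types described in 'Reports and Notifications', 'Sending Notifications' and 'SQL Database Integration' all consume the same input: the list of changes one verification run detected. The block below is an added example, not SysPatrol's own code, showing one way to implement a directory-targeted CSV report action (generated file names carrying the test name and time), a history action (an SQLite table standing in for the ODBC data source), and a notification action that fires only at or above the configured change count. The change-record shape, the SQLite schema, the sample changes and the SMTP helper are assumptions of this example.

```python
"""Report, SQL-history and notification actions applied to a list of detected
changes.  Added example, not SysPatrol's code: the change-record shape, the
SQLite table (standing in for the ODBC data source) and the constructed sample
changes are assumptions."""
import csv
import json
import smtplib
import sqlite3
from datetime import datetime
from email.message import EmailMessage
from pathlib import Path

# Constructed sample: what one verification run might have detected.
SAMPLE_CHANGES = [
    {"path": "System32/drivers/example.sys", "change": "created", "fields": [],
     "reference": None, "current": {"size": 4096, "sha256": "ab12"}},
    {"path": "Program Files/App/app.dll", "change": "modified", "fields": ["sha256"],
     "reference": {"size": 8192, "sha256": "0000"},
     "current": {"size": 8192, "sha256": "ffff"}},
]


def report_filename(test_name: str, when: datetime, ext: str) -> str:
    """Generated name carrying the test name and the date and time of the test."""
    return f"{test_name}_{when.strftime('%Y%m%d_%H%M%S')}.{ext}"


def save_csv_report(changes, directory: Path, test_name: str, when: datetime) -> Path:
    """Report action with a directory target: one CSV row per detected change."""
    directory.mkdir(parents=True, exist_ok=True)
    out = directory / report_filename(test_name, when, "csv")
    with out.open("w", newline="", encoding="utf-8") as fh:
        writer = csv.writer(fh)
        writer.writerow(["path", "change", "fields", "reference", "current"])
        for c in changes:
            writer.writerow([c["path"], c["change"], ";".join(c["fields"]),
                             json.dumps(c["reference"]), json.dumps(c["current"])])
    return out


def save_sql_history(changes, db_path, test_name: str, host: str, when: datetime) -> int:
    """History action: append the changes to a table keyed by test, host and
    time so that earlier runs stay reviewable.  Only INSERT is needed, which is
    all the database account should be allowed.  Returns rows stored for this run."""
    con = sqlite3.connect(db_path)
    con.execute(
        "CREATE TABLE IF NOT EXISTS changes ("
        " id INTEGER PRIMARY KEY, test TEXT, host TEXT, tested_at TEXT,"
        " path TEXT, change_type TEXT, fields TEXT, ref_state TEXT, cur_state TEXT)")
    con.executemany(
        "INSERT INTO changes (test, host, tested_at, path, change_type, fields,"
        " ref_state, cur_state) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        [(test_name, host, when.isoformat(), c["path"], c["change"],
          ";".join(c["fields"]), json.dumps(c["reference"]), json.dumps(c["current"]))
         for c in changes])
    con.commit()
    (count,) = con.execute(
        "SELECT COUNT(*) FROM changes WHERE test = ? AND host = ? AND tested_at = ?",
        (test_name, host, when.isoformat())).fetchone()
    con.close()
    return count


def build_notification(changes, test_name, host, when, threshold, sender, recipient):
    """Notification action: an e-mail naming the test, the host, the time and
    each change, or None when fewer than 'threshold' changes were detected."""
    if len(changes) < threshold:
        return None
    msg = EmailMessage()
    msg["Subject"] = f"[{host}] {test_name}: {len(changes)} unauthorized system change(s)"
    msg["From"] = sender
    msg["To"] = recipient
    body = [f"Test: {test_name}", f"Host: {host}", f"Time: {when.isoformat()}", ""]
    for c in changes:
        detail = f" ({', '.join(c['fields'])})" if c["fields"] else ""
        body.append(f"{c['change']:<9} {c['path']}{detail}")
    msg.set_content("\n".join(body))
    return msg


def send_notification(msg, smtp_host, smtp_port, user, password):
    """Deliver over SMTP with STARTTLS and authentication (not called offline)."""
    with smtplib.SMTP(smtp_host, smtp_port, timeout=30) as smtp:
        smtp.starttls()
        smtp.login(user, password)
        smtp.send_message(msg)
```

The notification is built and the delivery step kept separate so the threshold logic can be tested without an SMTP server; in production the SMTP account used by send_notification should be a send-only mailbox, since its password sits in the monitor's configuration on the monitored host.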

Managing System Tests and Monitors

In general, the default product configuration created by the SysPatrol Server configuration wizard should be good enough for most users, but sometimes the SysPatrol Server configuration needs tuning for user-specific needs and requirements. To customize the configuration of a system monitor, press the 'Setup Monitor' button located in the 'Tools' column on the main status page.

The 'System Files' test monitors the integrity of the operating system files. By default, the 'System Files' test is configured to monitor executable programs, DLL libraries and configuration files located in the Windows system directory and the 'Program Files' directory. During the learning stage, SysPatrol Server saves the state of the system files (including SHA256 signatures), and during the monitoring stage it verifies the integrity of all files by comparing file names, attributes, last modification dates and signatures with the reference system configuration. The SHA256 comparison is the check that matters: a file name, its attributes and its modification date can all be restored by whoever replaced the file, while the signature cannot.

The 'Kernel Drivers' and 'System Services' tests monitor the configuration of Windows kernel drivers and system services. During the learning stage, SysPatrol Server saves the reference configuration of kernel drivers and system services, and during the monitoring stage it verifies the system configuration by comparing the names, startup modes, statuses, attributes, registered executables, etc. of kernel drivers and system services. In addition, SysPatrol Server detects newly created and deleted kernel drivers and system services. The registered executable is the field to watch: a service whose name and startup mode are unchanged but whose executable path now points somewhere else runs different code.

The 'Network Protocols' test monitors and verifies the installed network protocols. SysPatrol Server can monitor and verify all types of network protocols, including hidden protocols that are not visible in the Windows control panel. For each network protocol, SysPatrol Server verifies the protocol version, provider flags, service flags, security scheme, etc. In addition, SysPatrol Server detects all newly created and deleted network protocols.

The 'Registry Database' test monitors a number of important registry database keys that control the execution of startup programs on the server. To add one or more custom registry keys to the SysPatrol configuration, click on the 'Add' link located beside the first registry key and select a root key and a sub key to monitor. By default, SysPatrol Server detects newly created, modified and deleted registry keys and values. In addition, SysPatrol Server detects unexpected changes in the last modification dates and times of registry keys.

The 'Installed Software' test monitors the installed software products and Windows updates. By default, SysPatrol Server detects newly installed, modified or uninstalled software packages and Windows updates. To stop reporting changes in Windows updates, clear the 'Detect Changes in Windows Software Updates' option; on servers with automatic updates this removes a predictable source of daily alerts, at the cost of no longer noticing an update that was removed.

History Reports

By default, SysPatrol Server keeps a history of the last 30 reports showing previously detected configuration changes. To access the history reports, press the 'Reports' button located on the SysPatrol Server home page. For each report, SysPatrol shows the test name, the date and time of the test and the number of detected system changes. In addition, each report can be exported to a number of standard formats, including HTML, PDF, Excel CSV and XML. To delete a history report, press the report's 'Delete' button displayed in the 'Tools' column. To delete all history reports, press the 'Delete All' button located below the report list. With a daily test, 30 reports is roughly a month of history; for a longer retention period, use the SQL database export described under 'SQL Database Integration'.

Updating System Configuration

Each time a system administrator installs a new software package or changes the system configuration, SysPatrol reports one or more detected system changes. To update the reference system configuration, log in to the SysPatrol web-based management interface, press the 'Update' button, select the system monitors to update and press the 'Update' button. During the system configuration update process, SysPatrol rescans the current system configuration and saves it as the reference system configuration. Once the update completes, SysPatrol resumes monitoring against the new reference system configuration and reports all subsequent configuration changes. If required, all previously detected configuration changes may be reviewed in the configuration change report history. Review the reported changes before pressing 'Update': the update accepts everything currently on the system as the new reference, including any change that was not part of the intended maintenance.

In addition, to automate the system configuration update process, SysPatrol provides a command line utility capable of initializing the default system configuration, updating the reference system configuration and verifying the current system configuration. The SysPatrol command line utility may be used locally or over the network to configure and control one or more SysPatrol servers.
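The learn, verify and update cycle described in 'Product Overview', the 'System Files' test under 'Managing System Tests and Monitors' and this section is, at its core, a reference store of per-file fingerprints and a three-way comparison against a fresh scan. The block below is an added example, not SysPatrol's own code, of that cycle for a directory tree: it records size, permission bits, modification time and SHA-256 for each monitored file, reports created, deleted and modified files, and re-learns the reference on update. The JSON reference file, the monitored file suffixes and the command line arguments are assumptions of this example; the point it demonstrates is that a content change is still reported when the modification time has been reset to the reference value.

```python
"""Learn / verify / update loop for a file-integrity monitor, in the style of
the 'System Files' test.  Added example, not SysPatrol's code: the JSON
reference store and the monitored file types are assumptions."""
import hashlib
import json
import os
import stat
import sys
from pathlib import Path

# Assumed default, standing in for "executable programs, DLL libraries and
# configuration files": only files with these suffixes are fingerprinted.
DEFAULT_SUFFIXES = (".exe", ".dll", ".sys", ".ini", ".conf")


def fingerprint(path: Path) -> dict:
    """Reference record for one file: size, permission bits, mtime, SHA-256."""
    st = path.stat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return {
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "mtime": int(st.st_mtime),
        "sha256": digest.hexdigest(),
    }


def scan(root: Path, suffixes=DEFAULT_SUFFIXES) -> dict:
    """Walk 'root' and fingerprint every regular file with a monitored suffix.
    Symlinks are skipped so a link cannot stand in for the file it names."""
    records = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.suffix.lower() in suffixes and p.is_file() and not p.is_symlink():
                records[p.relative_to(root).as_posix()] = fingerprint(p)
    return records


def init(root: Path, reference: Path, suffixes=DEFAULT_SUFFIXES) -> int:
    """Learning stage ('Init' and, later, 'Update'): save the current state as
    the reference.  Keep the reference file outside the monitored tree and
    writable only by the monitor; whoever can rewrite it can hide a change."""
    records = scan(root, suffixes)
    reference.write_text(json.dumps(records, indent=1, sort_keys=True))
    return len(records)


update = init  # 'Update' re-learns the state after an authorised change.


def verify(root: Path, reference: Path, suffixes=DEFAULT_SUFFIXES) -> list:
    """Monitoring stage: compare the current state with the reference and
    return one change record per created, deleted or modified file.  Every
    field is compared, so a file whose contents changed is reported even if
    its modification time was reset to the reference value."""
    ref = json.loads(reference.read_text())
    cur = scan(root, suffixes)
    changes = []
    for rel in sorted(set(ref) | set(cur)):
        if rel not in cur:
            changes.append({"path": rel, "change": "deleted", "fields": [],
                            "reference": ref[rel], "current": None})
        elif rel not in ref:
            changes.append({"path": rel, "change": "created", "fields": [],
                            "reference": None, "current": cur[rel]})
        else:
            fields = [k for k in ref[rel] if ref[rel][k] != cur[rel][k]]
            if fields:
                changes.append({"path": rel, "change": "modified", "fields": fields,
                                "reference": ref[rel], "current": cur[rel]})
    return changes


if __name__ == "__main__" and len(sys.argv) == 4:
    # Assumed usage: script.py init|verify|update <root> <reference.json>
    action, root, reference = sys.argv[1], Path(sys.argv[2]), Path(sys.argv[3])
    if action in ("init", "update"):
        print(f"{init(root, reference)} files recorded in {reference}")
    else:
        for c in verify(root, reference):
            print(c["change"], c["path"], ",".join(c["fields"]))
```

The change records carry both the reference and the current values, matching what the web interface shows for each detected change; the mtime-reset case in the comparison is the reason a monitor must never short-circuit on an unchanged modification date.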

Configuring SysPatrol Server

SysPatrol Server provides a variety of configuration options for integrating the product into a user-specific network environment. To open the main settings page, click on the 'Settings' link located on the top menu bar.

The SysPatrol Server web-based management console requires users to log in with a SysPatrol user name and password. The default user name and password are admin/admin. A custom user name and/or password can be set for the SysPatrol web-based management interface and the command line utility, which may be used to automate configuration and management tasks. To set a custom user name and password, click on the 'Configure Server Login' link located on the main settings page, enter a new user name and password and press the 'Save' button. Do this on every installation before the control or web access port is opened to the network; the default credentials are printed in this manual and are therefore known to anyone who reads it.

SysPatrol Server uses TCP port 9140 as the default server control port and TCP port 80 as the default web access port. Sometimes these ports are already in use by other software products or system services. If one or both of these ports are in use, SysPatrol is unable to operate properly and the SysPatrol server control port and/or web access port must be changed. To set a custom server control port and/or web access port, click on the 'Setup Server Ports' link located on the main settings page, select the 'Use Custom Port' option and enter the custom port number to use. If the SysPatrol server is to be controlled over the network, make sure the custom ports are open in the server's firewall. Treat both ports as administrative interfaces: restrict them at the firewall to the management hosts rather than opening them to the whole network.

SysPatrol Server can send notifications when a user-specified number of system changes is detected. To configure the SMTP server used to send e-mail notifications, click on the 'Configure Server' link located on the main settings page and enter the SMTP server host name, SMTP server port, SMTP user name, password and the source address to use to send notifications.

Web-Based Interface

SysPatrol Server provides a complete web-based management interface for fully controlling, managing and configuring one or more SysPatrol servers locally or through the network using a standard web browser. By default, the web-based interface uses TCP port 80, the default HTTP port that web browsers use to connect to a web server. The SysPatrol web-based interface is a dynamic web application that shows the current status of the server and the progress of running operations without reloading the currently displayed web page. To operate properly, the web-based interface requires JavaScript to be enabled in the web browser.

Using the Command Line Utility in the Interactive Mode

In addition to the web-based management interface, SysPatrol Server provides a command line utility that may be used to control, manage and configure one or more SysPatrol Servers locally or through the network. By default, the SysPatrol command line utility is located in the '<Product Dir>\bin' directory. When executed without any command line parameters, the command line utility operates in the interactive mode, showing the available menus, accepting commands and executing the selected operations. The interactive mode is very simple to use: all available commands are displayed in a self-explanatory way, making it easy to set up and configure the product even for a novice computer user. For example, to verify the current system status, start the SysPatrol command line utility without any command line parameters, type "1" to enter the "Status" menu and then type "4" to verify the current system status. If any system changes are detected during the verification process, SysPatrol saves reports and sends notifications according to the configured report generation and notification actions.

Using the Command Line Utility in the Batch Mode

In addition to the interactive mode, the command line utility may be executed in the batch mode with a variety of command line parameters and options, allowing control, configuration and management of one or more SysPatrol Servers to be automated with batch files or shell scripts. For example, to initialize the SysPatrol configuration, learn the current server status and save the reference system configuration, type the following command:

syspatrol -init

SysPatrol Server creates the default system tests, learns the current server status, saves the reference system configuration and creates a daily periodic system test, which is executed every 24 hours. To verify the current system status, type the following command:

syspatrol -verify

SysPatrol scans the current system configuration, compares it with the reference system configuration, saves reports and sends notifications if required. For detailed information about the available command line options, execute the command line utility with the '-help' command line parameter. Because the utility connects through the server control port with the same user name and password as the web interface, any script that calls it remotely must be given those credentials; keep such scripts on a management host and readable only by the account that runs them.

Product Update Procedure

Flexense develops SysPatrol Server on a fast release cycle, with minor product versions, updates and bug fixes released almost every month and major product versions released every year. New product versions and product updates are published on the product web site and may be downloaded from the following page:

Because the product is designed for servers running in production environments, where stability is a major decision factor, SysPatrol Server updates are performed manually by the user. To update an existing product installation, download the latest product version and just start the setup program. The SysPatrol Server setup program properly shuts down the running SysPatrol Server, updates the product and restarts the SysPatrol service after finishing the update procedure. All product configuration files, the saved reference system configuration and the product registration remain valid, and there is nothing to reconfigure or manage after the update. Note that replacing SysPatrol's own binaries under 'Program Files' is itself a change the 'System Files' test will report on the next verification; expect it and update the reference afterwards.

Product Registration Procedure

Within a couple of hours after purchasing a product license, the customer receives two e-mail messages: the first confirming the payment and the second containing an unlock key, which is used to register the product. If you do not receive your unlock key within 24 hours, please check your spam folder, and if the unlock key is not there, contact our support team:

If the computer on which SysPatrol is installed is connected to the Internet, log in to the SysPatrol server (default user name and password: admin/admin) using a standard web browser, click on the 'About' link located on the top menu bar, press the 'Register' button, enter your name or your company name, enter the received unlock key and press the 'Register' button. If the computer is not connected to the Internet, press the 'Manual Registration' button, export the product ID file and send the product ID file to as an attachment. Within a couple of hours, you will receive an unlock file, which should be imported to finish the registration procedure.

OEM Product Version

Flexense allows system integrators, value-added distributors and IT service providers to resell SysPatrol Server and/or provide services based on the product under third-party brand names. Resellers and integrators can change the product name, the product web site address, the product vendor name and the product vendor web site address. To set custom OEM product and vendor information, the product must be registered using a special OEM-enabled unlock key, which may be purchased on the product purchase page. Once the product is registered using an OEM unlock key, open the 'About' page, press the 'Set OEM Info' button, specify your custom OEM product and vendor information and press the 'Save' button. The custom OEM product and vendor information is displayed on all pages of the SysPatrol web-based management interface, in all types of reports generated by the product and in all notification messages sent by SysPatrol Server.
